Block Evasive Applications — Configuration Example
Evasive applications use dynamic ports and protocols, encryption and other techniques to make the application traffic difficult to detect and manage. The objective of this configuration example is to show how you can block Ultrasurf with WatchGuard Firebox policies and subscription services. You can use a similar strategy to block other types of evasive applications on your network.
This configuration example assumes you have an existing Firebox configured with HTTP and HTTPS proxy policies.
These steps are provided as a basic guide. Your network environment might require additional configuration settings.
Application Control and WebBlocker Configuration
To block Ultrasurf completely, you must layer several Firebox services. The first layer denies the Ultrasurf web pages (the WebBlocker exception *ultrasurf*/*) so that users cannot download the application. This is done with WebBlocker and Application Control actions applied to HTTP and HTTPS proxies that have content inspection enabled.
To prevent the download of Ultrasurf:
- In Application Control, configure an action to drop all traffic for the Ultrasurf application and other tunneling and proxy services.
- In the Edit Application Control Action dialog box, click Select by Category.
- Select the Tunneling and proxy services check box.
- From the drop-down list, select Drop.
- Apply the Application Control action to your HTTP and HTTPS proxies.
- In WebBlocker, to deny proxy avoidance applications like Ultrasurf, on the Categories tab, select Information Technology > Proxy Avoidance.
- On the Exceptions tab, add an exception to deny *ultrasurf*/*.
- Apply the WebBlocker action to your HTTP and HTTPS proxies.
You must enable content inspection on the HTTPS proxy for Application Control to be effective. Without content inspection the proxy sees only the TLS handshake, not the decrypted application traffic that Application Control signatures match against.
Firebox Configuration
Ultrasurf is a proxy-based application that allows Internet users to bypass firewalls and to surf the web anonymously. With Ultrasurf, users can avoid filtering rules that you create and enforce with WatchGuard WebBlocker. Ultrasurf hides your IP address and clears browsing history and cookies. It attempts to use alternate pathways if a connection is blocked.
The next layer of defense is to configure the Firebox to prevent connections from Ultrasurf. We recommend you complete this configuration for both current and legacy versions of Ultrasurf.
- Configure an HTTPS proxy with content inspection in the proxy action.
- Configure content inspection to inspect all domains.
To use content inspection with an HTTPS proxy, you require a certificate for content inspection. For information on HTTPS proxy authority certificate options, see Use Certificates with Outbound HTTPS Proxy Content Inspection.
- In the HTTPS proxy action, edit the TLS profile.
- In the Minimum Protocol Version drop-down list, select TLS v1.1.
When this option is selected, the TLS profile allows only traffic that is compliant with TLS 1.1 and later. At this time, most Ultrasurf public proxies use TLS 1.0. Note that TLS 1.0 and TLS 1.1 are both deprecated (RFC 8996); if the clients on your network support it, TLS v1.2 is a stronger minimum and still rejects the TLS 1.0 handshakes the Ultrasurf proxies use.
- Select the Allow only TLS-compliant traffic check box.
When you select the Allow only TLS-compliant traffic check box, other applications that send non-TLS traffic over port 443 may be unable to connect. It does not affect HTTPS web browsing. Ultrasurf displays as connected, but web browsing through Ultrasurf fails.
- Configure DNSWatch or an outgoing DNS proxy to deny queries for Ultrasurf domains (for example, ultrasurf.com, ultrasurf.us, ultrasurfing.com, sni.cloudflaressl.com).
sni.cloudflaressl.com is a Cloudflare shared-certificate hostname, so denying it can affect unrelated sites that use Cloudflare shared certificates. Watch the DNS log messages for false positives after you add it.
- In the HTTPS proxy action, enable the Application Control action that blocks Ultrasurf and other tunneling and proxy services. This is the action configured earlier: in the Edit Application Control Action dialog box, click Select by Category, select the Tunneling and proxy services check box, and select Drop from the drop-down list.
- In the outbound DNS policy, on the Policy tab, add all public and private DNS server IPs to the To list.
Make sure that the outbound DNS policy does not include Any-External in the To list. Limiting port 53 to the resolvers you trust means the application cannot reach an arbitrary external host on port 53, and any traffic it does send to those resolvers still has to pass the DNS proxy.
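To make the two TLS profile settings concrete, here is an added Python example; it is not WatchGuard code and does not show how the Firebox implements the settings. It models the decision the proxy makes on the first record of a connection to port 443: reject bytes that are not a well-formed TLS handshake record (Allow only TLS-compliant traffic), then reject a ClientHello whose highest offered version is below a minimum (Minimum Protocol Version, TLS 1.1 here as in the step above). The ClientHello bytes are constructed test data. TLS 1.3 clients put 0x0303 in the legacy_version field and advertise 1.3 in the supported_versions extension (RFC 8446), so the parser reads that extension when present.

```python
import struct

# TLS version codes used in the record and handshake layers (RFC 5246, RFC 8446).
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE = 0x16                 # record content type
CLIENT_HELLO = 0x01              # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(version, extensions=b""):
    """Constructed test data: a minimal but well-formed ClientHello record."""
    body = struct.pack("!H", version)               # legacy_version
    body += bytes(32)                               # client random (zeros for the test)
    body += b"\x00"                                 # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"      # one cipher suite
    body += b"\x01\x00"                             # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def supported_versions_ext(versions):
    """Build a supported_versions extension listing the given version codes."""
    payload = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(payload)) + payload


def client_hello_version(data):
    """Return the highest TLS version a ClientHello offers, or None when the
    bytes are not a well-formed TLS handshake record carrying a ClientHello."""
    if len(data) < 5 or data[0] != HANDSHAKE:
        return None
    rec_ver, rec_len = struct.unpack("!HH", data[1:5])
    if rec_ver not in TLS_VERSIONS or rec_len != len(data) - 5:
        return None
    hs = data[5:]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        return None
    body = hs[4:]
    if len(body) < 35:
        return None
    version = struct.unpack("!H", body[:2])[0]
    pos = 34 + 1 + body[34]                         # skip random and session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                            # skip compression methods
    if pos == len(body):
        pass                                        # no extensions present
    elif pos + 2 <= len(body) and struct.unpack("!H", body[pos:pos + 2])[0] == len(body) - pos - 2:
        pos += 2
        while pos + 4 <= len(body):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and ext and len(ext) == 1 + ext[0]:
                offered = [struct.unpack("!H", ext[i:i + 2])[0] for i in range(1, len(ext), 2)]
                version = max([version] + offered)
    else:
        return None                                 # extension block length does not match
    return version if version in TLS_VERSIONS else None


def tls_policy(data, minimum=0x0302):
    """Apply the profile: drop non-TLS bytes, then enforce the minimum version (TLS 1.1 by default)."""
    v = client_hello_version(data)
    if v is None:
        return "deny: not TLS-compliant"
    if v < minimum:
        return f"deny: {TLS_VERSIONS[v]} below minimum"
    return f"allow: {TLS_VERSIONS[v]}"


if __name__ == "__main__":
    for label, blob in [("TLS 1.0 hello", build_client_hello(0x0301)),
                        ("TLS 1.2 hello", build_client_hello(0x0303)),
                        ("TLS 1.3 hello", build_client_hello(0x0303, supported_versions_ext([0x0304, 0x0303]))),
                        ("plain HTTP on 443", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]:
        print(f"{label}: {tls_policy(blob)}")
```

The check runs only on the ClientHello; the Firebox setting applies to the whole stream, so a client that sends a compliant ClientHello and then switches to a non-TLS framing is caught later by the proxy, not by this function.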
How It Works
Many proxy avoidance applications use a similar set of strategies to try to connect to their servers. Typically, the application first sends DNS queries to find a server. Then it tries to connect to the server on HTTP port 80 and then on HTTPS port 443. Some applications try to build a TLS tunnel on the standard port 443 or on another port, such as TCP 53 or a dynamically selected port. If all of this fails, the application can try backup servers hosted with popular and often allowed providers such as Microsoft or Amazon Web Services. Another strategy is to download another executable while the application continues to repeatedly try to connect to a server.
To detect these types of applications, you must configure proxies and services with appropriate settings, and enable logging for reports. It is also important to regularly monitor log files and reports to keep up with the new trends in network activity as updates of those applications become available.
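The connection pattern described above (DNS lookup, then port 80, then 443, then a tunnel attempt on TCP 53 or a dynamic port, repeated against several servers) is visible in the deny log messages even when every individual connection is blocked. The following Python example, added here and not part of the WatchGuard documentation, runs that detection over a few constructed log lines. The line format, field names and addresses are invented for the example and are not Firebox log syntax; adapt the regular expression to the format your log server exports. A source is flagged when, within one window, it has several denied connections that span both a web port and a non-web port.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an invented key=value format (not Firebox syntax).
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=10.0.1.25 dst=10.0.0.53 proto=udp dport=53 action=allow
2024-03-01T09:00:02 src=10.0.1.25 dst=203.0.113.10 proto=tcp dport=80 action=deny
2024-03-01T09:00:03 src=10.0.1.25 dst=203.0.113.10 proto=tcp dport=443 action=deny
2024-03-01T09:00:05 src=10.0.1.25 dst=203.0.113.10 proto=tcp dport=53 action=deny
2024-03-01T09:00:09 src=10.0.1.25 dst=198.51.100.7 proto=tcp dport=443 action=deny
2024-03-01T09:00:12 src=10.0.1.25 dst=198.51.100.7 proto=tcp dport=8443 action=deny
2024-03-01T09:00:20 src=10.0.1.40 dst=10.0.0.53 proto=udp dport=53 action=allow
2024-03-01T09:00:21 src=10.0.1.40 dst=198.51.100.20 proto=tcp dport=443 action=allow
2024-03-01T09:00:25 src=10.0.1.40 dst=198.51.100.20 proto=tcp dport=80 action=deny
2024-03-01T09:00:30 src=10.0.1.40 dst=198.51.100.20 proto=tcp dport=443 action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)
WEB_PORTS = {80, 443}


def parse(lines):
    """Yield one event dict per well-formed line; silently skip lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"], "dst": d["dst"],
               "proto": d["proto"], "dport": int(d["dport"]), "action": d["action"]}


def find_port_walkers(lines, window=timedelta(minutes=5), min_ports=3, min_denies=4):
    """Flag sources whose denied connections inside one window hit at least
    `min_ports` distinct ports, including a web port and a non-web port."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            denied = [e for e in in_window if e["action"] == "deny"]
            ports = {e["dport"] for e in denied}
            non_web = ports - WEB_PORTS       # tunnel attempts on 53/tcp or dynamic ports
            if len(denied) >= min_denies and len(ports) >= min_ports and ports & WEB_PORTS and non_web:
                findings[src] = {
                    "first_seen": first["ts"].isoformat(),
                    "denied": len(denied),
                    "ports": sorted(ports),
                    "destinations": sorted({e["dst"] for e in denied}),
                }
                break                         # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, info in find_port_walkers(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

Host 10.0.1.25 is flagged (five denies across ports 53, 80, 443 and 8443 against two servers); host 10.0.1.40, with a single denied port 80 connection during normal browsing, is not. Tune the window and thresholds against your own deny volume before alerting on this.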
This configuration example uses a combination of policies and services to block the strategies used by Ultrasurf:
- Proxy Policies — Proxy policies examine all outgoing HTTP, HTTPS, and DNS connections, and deny or block connections or content that could represent a threat. They also use the configured services and other settings to examine connections and content and decide whether to allow a connection. Proxy policies enforce protocols. For example, if a tunneling application attempts to send traffic over TCP/UDP 53 and a DNS proxy is in place, the traffic fails because the tunnel traffic is not DNS-compliant. Protocol enforcement does not stop a tunnel that encodes its data inside well-formed DNS queries; that is why the DNS proxy is paired with DNSWatch or domain deny rules.
- Application Control — Application Control drops connections for applications in the Tunneling and proxy services category and other application categories that could represent a threat. Application Control is enabled for all outgoing browsing policies.
- WebBlocker — WebBlocker blocks connections to websites in the proxy avoidance category and other categories that could represent a threat. The WebBlocker configuration is used by the HTTP-proxy and HTTPS-proxy actions.
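The protocol-enforcement point above, and the DNS domain denial from the Firebox Configuration steps, can be shown together in one added Python example. This is illustrative code, not the Firebox DNS proxy, and it implements only the subset of RFC 1035 needed to decide whether a client-to-server payload on port 53 is a plausible DNS query: header flags and section counts, then each question name, type and class. A payload that fails that parse (for example a TLS ClientHello a tunneling client pushed at port 53) is denied as non-compliant; a compliant query whose name is under one of the page's Ultrasurf domains is denied as a blocked domain. The sample payloads are constructed, and the denylist is matched on a label boundary so that a domain that merely contains the string "ultrasurf" is not caught. The last sample is a DNS-shaped tunnel carrying encoded data in a label; it passes the compliance check, which is the limit of protocol enforcement.

```python
import struct

# Domains the page lists for DNSWatch / DNS-proxy denial; matched on a label boundary.
DENY_SUFFIXES = ("ultrasurf.com", "ultrasurf.us", "ultrasurfing.com", "sni.cloudflaressl.com")
QTYPE_A, QTYPE_TXT = 1, 16


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Constructed test data: a standard recursive query with one question (RFC 1035 section 4.1)."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: QR=0 opcode=0 RD=1
    return header + name + struct.pack("!HH", qtype, 1)         # QCLASS IN


def _read_name(data, pos):
    """Parse an uncompressed domain name; raise ValueError on any malformation."""
    labels, total = [], 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if n > 63 or pos + n > len(data):
            raise ValueError("bad label length")
        total += n + 1
        if total > 255:
            raise ValueError("name too long")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels).lower(), pos


def inspect_dns_query(payload):
    """Return (verdict, qnames) for a client-to-server payload seen on port 53."""
    try:
        if len(payload) < 12:
            raise ValueError("short header")
        _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
        if flags & 0x8000:
            raise ValueError("QR bit set: a response, not a query")
        if (flags >> 11) & 0xF not in (0, 1, 2):
            raise ValueError("unknown opcode")
        if flags & 0x000F:
            raise ValueError("RCODE set in a query")
        if qd < 1 or an or ns or ar > 1:      # at most one additional record (EDNS OPT)
            raise ValueError("section counts do not describe a query")
        pos, qnames = 12, []
        for _ in range(qd):
            name, pos = _read_name(payload, pos)
            if pos + 4 > len(payload):
                raise ValueError("truncated question")
            _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if qclass not in (1, 3, 4, 255):
                raise ValueError("unknown QCLASS")
            qnames.append(name)
        if ar == 0 and pos != len(payload):
            raise ValueError("trailing bytes after question section")
    except ValueError as err:                 # UnicodeDecodeError is a ValueError too
        return f"deny: not DNS-compliant ({err})", []
    for name in qnames:
        if any(name == s or name.endswith("." + s) for s in DENY_SUFFIXES):
            return "deny: blocked domain", qnames
    return "allow", qnames


# Constructed samples: an ordinary lookup, a blocked-domain lookup, the start of
# a TLS ClientHello sent to port 53, and a DNS-shaped tunnel with encoded data in a label.
SAMPLES = {
    "lookup": build_query("www.example.com"),
    "ultrasurf": build_query("www.ultrasurf.com"),
    "tls_on_53": bytes.fromhex("160301002a010000260303") + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00",
    "dns_tunnel": build_query("aGVsbG8gd29ybGQK.t.example.net", qtype=QTYPE_TXT),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label}: {inspect_dns_query(payload)}")
```

The "tls_on_53" payload is rejected because its bytes, read as a DNS header, claim a non-zero authority count for a query; random or obfuscated tunnel framing fails in the same way. The "dns_tunnel" payload is allowed, which is why the configuration also restricts which resolvers port 53 can reach and denies the known Ultrasurf domains.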
You can apply the same type of configuration strategies to protect against advanced malware and other evasive applications. To do this, you would configure other security services such as Gateway AntiVirus, Botnet Detection, APT Blocker, Reputation Enabled Defense, and Intrusion Prevention Services. We recommend that you monitor log messages and reports regularly to help identify new threats, so you can update the configuration as threats and application behaviors evolve.
See Also
- Enable Application Control in a Policy
- Use Certificates with Outbound HTTPS Proxy Content Inspection